CMMI Consultant Blog

CMMI Frequently Asked Questions and their responses from CMMI Consultant(s)


As a CMMI Consultant you may be asked which data privacy acts are available or applicable globally. As a CMMI Consultant you can use the information given below to answer:

Categories: Information Security, Standards


15th July, 2019

In the growing international business market, the privacy of an individual's personal information has become very critical, and different countries around the world have come up with different information privacy laws and data protection laws to secure the data of an individual. Currently more than 80 countries, including all of Europe, America, some Latin American countries, Asia, Africa and other independent territories, are implementing data protection and privacy rules. The details are as under:

Europe: The European Union was the first to come up with a comprehensive standard, in April 2016, known as the General Data Protection Regulation (GDPR); it has been in implementation since May 2018, with the objective of protecting the fundamental rights and freedoms of persons with respect to their personal data and the free movement of personal data. The GDPR gives individuals more control over their personal data. It also unifies the regulation within the EU and thus provides a simplified regulatory environment for international business. This act applies to all EU member states.

United States: The United States was the first to come up with fair information practice principles, in 1970. There is no single comprehensive law regulating the acquisition, storage, or use of personal data in the U.S.; instead, there are several federal laws applicable in different areas.

The list of applicable laws, regulations and directives related to the protection of information systems in the USA is as under:

  • U.S. Fair Credit Reporting Act
  • U.S. Racketeer Influenced and Corrupt Organizations (RICO) Act
  • Family Educational Rights and Privacy Act (FERPA)
  • U.S. Privacy Act
  • U.S. Medical Computer Crime Act
  • U.S. Federal Computer Crime Act
  • U.S. Computer Fraud and Abuse Act
  • U.S. Electronic Communications Privacy Act (ECPA)
  • U.S. Computer Security Act (repealed by the Federal Information Security Management Act of 2002)
  • 1988 U.S. Video Privacy Protection Act
  • United Kingdom Computer Misuse Act
  • U.S. Federal Sentencing Guidelines
  • OECD Guidelines to Serve as a Total Security Framework
  • Communications Assistance for Law Enforcement Act
  • Council Directive on Data Protection for the European Union (EU)
  • U.S. Economic and Protection of Proprietary Information Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • U.S. Digital Millennium Copyright Act (DMCA)
  • U.S. Uniform Computer Information Transactions Act (UCITA)
  • U.S. Congress Electronic Signatures in Global and National Commerce Act (“ESIGN”)
  • U.S. Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act
  • Homeland Security Act (HSA)
  • Federal Information Security Management Act

The USA developed the Safe Harbor Framework to bridge the different privacy approaches of the USA and the countries of the European Union.

Canada: In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the ground rules for how businesses must handle personal information in the course of commercial activity. PIPEDA brings Canada into compliance with EU data protection law.

Australia: The Data Privacy Act in Australia regulates the handling of personal information.

China: The Cybersecurity Law and the China Data Protection Regulations (CDPR) indicate China's focus on cybersecurity and personal data protection.

India: In India, the use of personal data or information of citizens is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under Section 43A of the Information Technology Act, 2000. In 2018 the Indian Government came up with the Personal Data Protection Bill 2018, based on the recommendations of the Justice Srikrishna Committee and drawing on the EU's GDPR and regulations from other countries. The Bill has still not been passed.

ISO 27552 – Standard for Privacy Information Management System (PIMS):

The International Organization for Standardization, through its technical committee ISO/IEC JTC 1/SC 27, has come up with a new standard, ISO/IEC 27552, as a privacy extension to the ISO 27001 standard. ISO/IEC 27552 provides additional requirements to establish, implement, maintain, and continually improve a Privacy Information Management System. The standard gives a framework for PII controllers and PII processors to manage privacy controls and reduce the risk to PII.

The standard has the following annexures, showing its mapping to different standards:

Annexure A: Contains specific objectives and controls for PII controllers.

Annexure B: Contains specific objectives and controls for PII processors.

Annexure C: Contains a mapping to Articles 5 to 42 and 44 to 49 of the GDPR.

Annexure D: Provides a mapping to ISO/IEC 29100 Information technology — Security techniques — Privacy framework.

Annexure E: Provides a mapping of ISO/IEC 27552 controls to ISO/IEC 27018, the code of practice that focuses on protection of personal data in the cloud, and to ISO/IEC 29151 Information technology — Security techniques — Code of practice for personally identifiable information protection.

Annexure F: Explains terms and alternative terms.

Annexure G: Provides guidance on how to implement ISO/IEC 27552 alongside both ISO/IEC 27001 and ISO/IEC 27002.


This standard is expected to be published in 2019 and will be a good tool for organizations implementing a Privacy Information Management System (PIMS).

Published by CMMI Consultant


Tags: China Data Protection Regulations, cmmi consultant, Cybersecurity Law, Data Privacy Acts, General Data Protection Regulation, ISO 27552, Personal Information Protection and Electronic Documents Act